thisistest Posted October 12, 2009

hi. this is test

<------- 12-10-2009 23:39:49 ------->
\ArmadilloVersion 7.00 Beta-1.exe
!- Protected Armadillo
Protection system (Professional)
!- <Protection Options>
Standard protection or Minimum protection
!- <Backup Key Options>
Fixed Backup Keys
!- <Compression Options>
Better/Slower Compression
!- <Other Options>
4ABFFC80 Version 7.00Beta3 28-09-2009
!- Elapsed Time 00h 00m 02s 234ms

ArmadilloVersion 7.00 Beta-1.rar
EvOlUtIoN Posted October 12, 2009

Ridiculous protection...
http://www.sendspace.com/file/mcisym
The original unpackme of this was 1000 times harder.
If it's really armadillo 7, I can say that it is equal to 6, 5 and 4.
What Posted October 13, 2009

> Ridiculous protection...
> If it's really armadillo 7, I can say that it is equal to 6, 5 and 4.

Ditto on that note. Here is my dump too. It took me longer to remember how to fix the imports (haven't reversed in quite some time) than it did to fix the hardware id (I never even attempted arma's hwid before).
EvOlUtIoN Posted October 13, 2009

It took me about 10 minutes or less... Import fixing is a retn; for the hardware id you have to change the eax value inside a call.
What Posted October 13, 2009

We appear to have taken the same approach to unpacking it then, because I also did the VirtualProtect/RET method and changed the eax after a function. I had originally tried the GetModuleHandle way, but I couldn't remember how to do it, and I couldn't remember the VirtualProtect way completely either. It took me a while to remember "push 100". I should have just reversed it to fix the imports, but since the developers didn't change anything, I didn't see the point of doing so.

Edited October 13, 2009 by What
SunBeam Posted October 13, 2009

@EvOlUtIoN: HWID is fixable by changing a DWORD, if I recall. That DWORD is put in 2 buffers later on, one for sprintf-ing to screen, and I forgot what the other buffer does. But mainly, yes :-) As you said..
EvOlUtIoN Posted October 13, 2009

Normally, to change the hwid I patch a call with "mov eax, xxxxxxxx", just before xoring it with 0.
Fungus Posted October 14, 2009

This is a waste of time... I'm not even going to bother posting a dump. Unpacked in under 5 minutes :/
Loki Posted October 14, 2009

Keygenning is the same too - this one is V3 Short level 10 though.
SunBeam Posted October 16, 2009

Actually.. it's Beta 3 ;-) Don't ask how I know, a surprise is coming.. soon enough ;-)
LCF-AT Posted May 20, 2010

Hi,

hmmm HWID & CopyMem!
Unpacker Tool does not work, so try to unpack it manually.
Here is my unpacked file - test it.

greetz

test_UnpackMe_ArmadilloVersion 7.20_Unpacked.rar
thisistest Posted June 29, 2010 (Author)

ArmadilloVersion 7[1].00 Beta-1 unpacked, test it!

armadilloversion 7.00 beta-1_dump_.rar
ghandi Posted June 30, 2010

> Loki: Keygenning is the same too - this one is V3 Short level 10 though.
> SunBeam: Actually.. it's Beta 3 ;-) Don't ask how I know, a surprise is coming.. soon enough ;-)

Looking back on this now, who knew that this was such an omen for those keygenning Armadillo? Seems to have slowed the flow of keygens for a bit; nobody has claimed credit (yet) for breaking the latest incarnation of V3.

HR,
Ghandi

Edited June 30, 2010 by ghandi
Iona Posted July 23, 2010

Hi. This is a test only. I do not need the unpacked file. I am searching for people who know how to unpack this file.

Version 7.40Beta1
http://rghost.ru/2184728 (769 KB)
MD5 019a3dadfc804d1a610aa598537e745b
SHA1 afe718c9639855c207870a4dc7586058729fc54d
Lito Posted July 30, 2010

This section of Armadillo code, included in the security DLL (extracted with armaraider), contains the secret of Armadillo. I think that it is fixed in the last updates.

10011536 6A 04 PUSH 4
10011538 8D85 18FBFFFF LEA EAX,DWORD PTR SS:[EBP-4E8]
1001153E 50 PUSH EAX
1001153F 8D8D 20FBFFFF LEA ECX,DWORD PTR SS:[EBP-4E0]
10011545 51 PUSH ECX
10011546 E8 15A70400 CALL XXXXXXXXX.1005BC60 -> call to Sha algorithm
1001154B 83C4 0C ADD ESP,0C
1001154E 8B95 20FBFFFF MOV EDX,DWORD PTR SS:[EBP-4E0]
10011554 3395 24FBFFFF XOR EDX,DWORD PTR SS:[EBP-4DC]
1001155A 3395 28FBFFFF XOR EDX,DWORD PTR SS:[EBP-4D8]
10011560 3395 2CFBFFFF XOR EDX,DWORD PTR SS:[EBP-4D4]
10011566 3395 18FBFFFF XOR EDX,DWORD PTR SS:[EBP-4E8]
1001156C 8995 14FBFFFF MOV DWORD PTR SS:[EBP-4EC],EDX
10011572 8B85 B8F8FFFF MOV EAX,DWORD PTR SS:[EBP-748]
10011578 8B88 14050000 MOV ECX,DWORD PTR DS:[EAX+514]
1001157E 898D F8F8FFFF MOV DWORD PTR SS:[EBP-708],ECX
10011584 8B95 14FBFFFF MOV EDX,DWORD PTR SS:[EBP-4EC]
1001158A 3B95 F8F8FFFF CMP EDX,DWORD PTR SS:[EBP-708] ; if result of XOR of all DWORD = token implemented in certificate?
10011590 0F85 41010000 JNZ 100116D7 ; IMPORTANT: if equal then the token key xor with HF = valid token key for check key routine

And!.. where is the checksum of the certificate?... IN MEMORY
This is an example with one certificate, but certificates are continuous. Two bytes for level key and four for checksum of sha algorithm.

regards.

Edited July 30, 2010 by Lito
qpt^J Posted July 31, 2010

Lito, where did you get that it's a sha, lol? I checked out this file, and it seems it's protected with Unsigned level 0; that's why you can't find that checksum. Anyway, I'll give my keygen if the author publishes 1 correct serial.
Lito Posted July 31, 2010

> Lito, where did you get that it's a sha, lol? I checked out this file, and it seems it's protected with Unsigned level 0; that's why you can't find that checksum. Anyway, I'll give my keygen if the author publishes 1 correct serial.

It's only valid for signed keys.
Lito Posted July 31, 2010

> Lito, where did you get that it's a sha, lol? I checked out this file, and it seems it's protected with Unsigned level 0; that's why you can't find that checksum. Anyway, I'll give my keygen if the author publishes 1 correct serial.

sha or MD5, it's not important
qpt^J Posted July 31, 2010

huh? I did not understand you. What is valid for signed keys?

----UPDATE----

Seems you never reversed armadillo serial verification by yourself. The important thing is to figure out the protection, rather than find checksum & publickey by tools or tutorials.

Edited July 31, 2010 by qpt^J
Lito Posted July 31, 2010

I am remembering. The call to the algorithm is done if the keys are signed, though I do not remember it very well. But it works. qpt^J, thanks, but the information is only for the one who understands it. Ghandi, evolution, lena, etc. I think that they understand it.

Edited July 31, 2010 by Lito
qpt^J Posted July 31, 2010

It works like this: after a call of "today", you will jump to one of the calls below.
First call is for v2 signed, v3 signed, v3 short.
Second call is v1 unsigned.
Here, you have to decrypt the serial using blowfish; the decrypted serial has this structure:
symkey xor HWID (32 bit), other info (16 bit), today (16 bit)

haha, sorry, but I really did not understand you